vufind-org · EreMaijala · Sep 2, 2020
diff --git a/module/VuFind/src/VuFind/Auth/EmailAuthenticator.php b/module/VuFind/src/VuFind/Auth/EmailAuthenticator.php
@@ -214,11 +214,6 @@ public function authenticate($hash)
             throw new AuthException('authentication_error_expired');
         }
         $linkData = json_decode($row['data'], true);
-        $row->delete();
-
-        if (time() - strtotime($row['created']) > $this->loginRequestValidTime) {
-            throw new AuthException('authentication_error_expired');
-        }
 
         // Require same session id or IP address:
         $sessionId = $this->sessionManager->getId();
@@ -228,6 +223,14 @@ public function authenticate($hash)
             throw new AuthException('authentication_error_session_ip_mismatch');
         }
 
+        // Only delete the token now that we know the requester is correct. Otherwise
+        // it may end up deleted due to e.g. safe link check by the email server.
+        $row->delete();
+
+        if (time() - strtotime($row['created']) > $this->loginRequestValidTime) {
+            throw new AuthException('authentication_error_expired');
+        }
+
         return $linkData['data'];
     }